Security leaders can’t protect what they can’t see. Organizations making a move to the public cloud, or that are already in the cloud, face visibility challenges.

Visibility is everything when it comes to cloud security strategy. In an ideal environment, end-to-end visibility across multi-cloud grants teams the contextual knowledge necessary to determine and then manage risk in their cloud effectively.

According to a recent survey of 200 enterprise-class IT and security professionals in North America and Western Europe, two-thirds of respondents do not have cloud visibility confidence. Additionally, for the first time, the Cloud Security Alliance (CSA) listed cloud usage visibility in its “Top Threats to Cloud Computing: The Egregious 11” biennial report. According to CSA, visibility-related risk leads to a lack of governance, awareness and security, resulting in cloud security data breaches.

Cloud visibility challenges

Many companies are struggling to see what identities have access to the data in their clouds, and more importantly, what they are doing with it. Enterprises everywhere are having significant struggles with lack of visibility, leading to risks that they might not even be aware of. Here are the top challenges:

Challenge 1: Ensuring the security of people and machine identities

Cloud security teams face massive visibility challenges with respect to identities and their effective permissions. Cloud deployments have hundreds of resources running at any one time, with people and countless machine identities accessing them. Ensuring the security of all these identities poses a unique challenge.

Identities can assume a role with specific permissions and then use that role’s rights to assume another role, leading to excessive permissions that violate least privilege. This is the cloud equivalent of lateral movement — a dangerous opportunity. Adding insult to injury, the abuse can be completely concealed from monitoring services with intermittent auditing timeframes and lack of visibility from inadequate tooling. What complicates matters more is that privileged identities can switch roles as required, producing temporary permission chains of escalated privilege that are left unchecked.

Solution: Implement continuous effective permission monitoring

Security teams are relying on identity management built with the concept of “one (human) user, one identity.” This type of management can’t see new kinds of cloud-specific privilege abuses. The ability to continuously monitor effective permissions is needed. An identity’s potential access paths are not linear, but they are part of a web of interlocking roles, privilege escalation capabilities, permissions, trust relationships and user groups. A graphing function that exposes this web and provides detailed visibility into every identity is the only way to ensure least privilege enforcement.

Challenge 2: Ensuring data security

Teams must track a staggering amount of data accessed in their environments. At any given moment, identities are accessing thousands of data stores. All this data access without end-to-end visibility across enterprise cloud environments is a serious risk. How are teams supposed to protect their most valuable asset, their data, when they don’t even know where it all is and who/what is accessing it?

Traditional data protection tools lack contextual understanding of data, such as the sensitivity of personal identifiable information (PII). Sensitive PII could be sitting in a misconfigured AWS S3 bucket, for example, which isn’t labeled. Without contextual visibility into the data, security teams won’t know it’s sitting there unprotected.

Even if they know where their sensitive data is, cloud security teams face the challenges of knowing who has access to it, what they are doing with it and understanding where it is moving. Data can reside and move across multi-cloud environments, but teams find it challenging to continuously monitor the data without a standardized, singular view of data movement.

Solution: Holistic data inventory and classification

Knowing where data lies is fundamental, but security leaders shouldn’t treat all data the same. Data classification is a foundational step in cloud security risk management. Use machine learning to automate the process of discovering, classifying, labeling and applying protection rules to data. This helps organizations better understand where sensitive information is stored and how it’s being accessed.

The ability to classify and label all sensitive data fields in unstructured and structured data sources with context helps organizations understand its data risk position with actionable insights limiting the risk of data breaches or non-compliance. Equally, if teams have visibility into the context and content of their organizations’ data, their management team can make a determination on the sensitivity of the data and prioritize the necessary data and platform security programs required.

Challenge 3: Overcoming complexity

The cloud is complex by nature, and that complexity compounds risk if not managed properly. This risk adds up when developers rapidly accelerate production schedules without forethought into the complexity introduced. Stakeholders often want to speed up development, but there lies a gross misunderstanding that the cloud is inherently secure. This is not the case. This assumption leads to risks compounding across the cloud environment and is oftentimes left unchecked… until the wrong person finds them.

Solution: Intelligent workflows and automation break down complexity

Organizations need to work smarter and simplify the views of their cloud environment to break down complexity. Simplify cloud operations with intelligent workflows and automation. Organizations need to automate not just the discovery, but also the routing of problems to the teams and individuals responsible to fix them.

Effective automation involves much more than writing a lambda "bot." It means automatically identifying, classifying and prioritizing problems with machine learning and graph analytics. The goal is to automatically involve all teams in the security process.

Challenge 4: Different security models across CSPs

Cloud security models are handled differently with no standardization across all the stacks available — Amazon Web Services (AWS), Microsoft (Azure), and Google Cloud Platform (GCP). Their cloud security models do not address third-party data stores and often require the use of low-level tools where just one misconfiguration can lead to disastrous outcomes. Cloud provider security tools won’t track data once it leaves their cloud, resulting in visibility gaps.

Solution: Normalization of security across all 3 content security policies (CSPs)

Implementing controls around what has access to data is fundamental to any data security and compliance program. Because each unique cloud service provider delivers services and APIs to manage access to data for their stack, organizations will need to standardize across all the stacks available, third-party data stores and tooling. Normalized views and control of cloud identity and data access will help organizations see all data access risks across all environments.

Security can be the scariest aspect of cloud complexity. Lack of visibility into cloud risks can be terrifying, but it doesn’t have to be that way. 

Teams can effectively identify and manage cloud security risks at the speed and scale of the cloud. It starts with ensuring that the cloud is secured correctly, having an accurate inventory of identities and sensitive data, and then continuously monitoring for deviations. From there, implement intelligent workflows to raise problems to the responsible teams as well as automation to enable risks to be managed at scale and speed. Cloud has changed the way data is secured — and how teams manage security risks to that data must change too.